Computer implemented cover process approximating quantifier elimination

ABSTRACT

A computer implemented cover process is disclosed for use in program analysis and verification techniques where existential quantifier elimination is not possible. The cover process allows an accurate assessment of the viability of a theory. Where a theory can be described using quantifier-free formulas, it can be shown that the program analysis and verification techniques using cover are not only sound (i.e., an indication of validity is reliable), but also precise (i.e., and indication of an error is reliable).

BACKGROUND

A significant objective of program analysis and verification is todetermine that a given software code performs its intended functionscorrectly, to ensure that it performs no unintended functions, and toprovide information about its quality and reliability. Flaws in theoverall design of software generally lead to bugs and problems in theimplementation of the software. Several techniques currently exist forverifying software design and requirements. Two well known techniquesinclude symbolic model checking and abstract interpretation.

Qualitatively, symbolic model checking involves the definition of systemrequirements or design (called models) and a property (called thespecification) that the final system is expected to satisfy. The modelchecking construct indicates whether a specified model satisfies givenspecifications, and if it does not, indicates why the model does notsatisfy the specification. Abstract interpretation consists of providingseveral semantics linked by relations of abstraction. A semantic is amathematical characterization of the possible behaviors of the program.

At a fundamental level, program analysis and verification techniquessuch as model checking and abstract interpretation make use ofexistential quantifier elimination. An existential quantifier is alogical symbol “∃” that allows potential simplification of a formula byeliminating some set of variables V from the formula.

Given a quantifier-free formula φ and a set of variables V,existentially quantifying away V involves computing a quantifier-freeformula that is logically equivalent to ∃V: φ. This operation is usefulin practice to eliminate variables that are no longer necessary from aformula. For instance, the image computation in symbolic model checkinginvolves computing the quantifier-free formula equivalent to ∃V: R(V)

T(V,V′). Here, R(V) represents the current set of reachable states and T(V,V′) represents the transition relation between the current values ofthe state variables V and their new values V′. Existential QuantifierElimination is also useful in computing the strongest postconditionacross an assignment node in abstract interpretation, wherein theinvariant I′ after an assignment node x:=e is obtained from theinvariant I before the assignment node by performing the followingcomputation: ∃x′I[x′/x]

x=e[x′/x].

Existential quantifier elimination can be performed, albeit withexponential complexity, for propositional formulas. However, thisoperation is not defined for formulas containing interpreted symbolsfrom certain theories. For example, consider the formula F(x)=0 in thetheory of uninterpreted functions. There is no quantifier-free formulathat is equivalent to ∃x: F(x)=0 as it is not possible to state that 0is in the range of function F without using quantifiers. Similarly, thetheory of lists and the theory of arrays do not admit existentialquantifier elimination. This limits the application of techniques likesymbolic model checking to systems described by formulas in thesetheories.

There exist techniques to approximate existential quantifier eliminationwhen it does not exist (as in the above-cited instances of uninterpretedformulas, the theory of lists and the theory of arrays). Such techniquesguarantee soundness in performing program analysis and verificationtechniques. That is, when these approximations indicate that a programverifies true, that is an accurate result. These approximations aredisclosed for example in the publications T. Ball and S. K. Rajamani,“The SLAM project: Debugging system software via static analysis,” In29th Annual Symposium on POPL, pages 1-3, 2002, and S. Chaki et al.,“Modular verification of software components in C,” Transactions onSoftware Engg., 30(6):388-402, 2004.

However, conventional approximation theories are not precise inperforming program analysis and verification techniques whereexistential quantifier elimination is not possible. That is, they can onoccasion give a false indication that a program embodies a flaw, when infact it does not.

SUMMARY

The present system, roughly described relates to a cover process andmethods of applying the cover process. The cover process may be used inprogram analysis and verification techniques where existentialquantifier elimination is not possible. The cover process allows anaccurate assessment of the viability of a system, both in verifying thevalidity and falsity of the system. Where a system is known to includean error, a program analysis and verification technique using cover maydemonstrate where the error occurs in the system.

Typically, existential quantifier elimination is used in programverification techniques such as symbolic model checking to determinewhether a computer program, or other system or model, is valid for itsintended purposes or whether it has an error. However, on occasion, theprogram verification technique involves a formula for which existentialquantifier elimination cannot be used. The present system relates to acomputer implemented cover process for approximating formulas for whichexistential quantifier elimination may not be used. The cover process iscapable of providing a result indicating whether a program, or othersystem or model, is valid for its intended purposes or whether it has anerror.

The cover process may be implemented within a computing environment, andmay provide a result which may be stored within and reported by thecomputing environment. As used herein, reporting the results mayinclude, but is not limited to, displaying the results over a monitorassociated with the computing environment, printing the results with aprinter associated with the computing environment, sending the resultsto a speaker associated with the computing environment, communicatingthe result over a transmission medium, and sending the results to a filefor storage or use by another application program.

The cover process can be used to reason about transition systemsinvolving operations from the rich set of theories for which the coveroperation is defined. When the transition system can be described usingquantifier-free formulas, it can be shown that the symbolic modelchecking process using cover is not only sound (i.e., an indication ofvalidity is reliable), but also precise (i.e., an indication of an erroris reliable). A similar application is shown with respect to performingabstract interpretation of programs over abstractions whose elements arequantifier-free formulas describing program states.

The present system may further show how program analysis techniquesusing cover may be applied to useful theories that arise in programanalysis and verification, including those that do not admit existentialquantifier elimination. These theories include the theory ofuninterpreted functions, the theory of lists and the theory of arrays.Cover is trivially defined for propositional formulas and theory oflinear arithmetic, as cover, by definition, reduces to existentialquantifier elimination when it exists. It is understood that embodimentsof the present system may be used with program analysis techniques otherthan symbolic model checking and abstract interpretation, and it isunderstood that the present system may be used to approximate formulasthat do not admit existential quantifier elimination other than thetheory of uninterpreted functions, the theory of lists and the theory ofarrays.

The present system relating to cover processes may further be used toobtain a cover process for a combination of two theories T₁∪T₂ from thecover processes for theories T₁ and T₂. The combination methodology isan extension of the known Nelson-Oppen methodology for combiningdecision procedures. In the combination framework for cover processes,conditional variable equalities (of the form γ

v₁=v₂) and variable-term equalities (of the form γ

v=t) are exchanged between component theories (while in the Nelson-Oppenframework only variable equalities are exchanged between componenttheories). The combination process works for theories that are convex,stably infinite, disjoint, and have a finite set of simple terms, asdefined hereinafter. The theories of linear arithmetic and uninterpretedfunctions, for example, satisfy these constraints.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of a method of model checking a model for validityand errors.

FIG. 2 is a flowchart for determining whether set of reachable states inthe model checking method of FIG. 1 interesects with an error state.

FIG. 3 is a flowchart for computing the set of steps that can be reachedin one step from the set of steps that can be reached i−1 steps in themodel checking method of FIG. 2.

FIG. 4 is a flowchart illustrating the steps in applying a cover processto the model checking method of FIG. 3.

FIG. 5 is a block diagram of a computing system environment capable ofimplementing the present system.

DETAILED DESCRIPTION

The present system will now be described with reference to FIGS. 1through 5 which in general relate to the notion referred to herein ascover, and a process referred to herein as the cover process. Informulas where existential quantifier elimination is not possible,program analysis and verification techniques employing cover are notonly sound, but they are precise. That is, when the analysis andverification process terminates, any error reported is guaranteed to bea real error in the system.

Typically, existential quantifier elimination is used in programverification techniques such as symbolic model checking to determinewhether a computer program, or other system or model, is valid for itsintended purposes or whether it has an error. However, on occasion, theprogram verification technique involves a formula for which existentialquantifier elimination cannot be used. The present system relates to acomputer implemented cover process for approximating formulas for whichexistential quantifier elimination may not be used. The cover process iscapable of providing a result indicating whether a program, or othersystem or model, is valid for its intended purposes or whether it has anerror.

The cover process may be implemented within a computing environmentexplained hereinafter with respect to FIG. 5, and may provide a resultwhich may be stored within and reported by the computing environment. Asused herein, reporting the results may include, but is not limited to,displaying the results over a monitor associated with the computingenvironment, printing the results with a printer associated with thecomputing environment, sending the results to a speaker associated withthe computing environment, communicating the result over a transmissionmedium, and sending the results to a file for storage or use by anotherapplication program.

In the description that follows, the concept of cover is firstexplained. Next, description sets forth the specific application ofcover to two known program analysis and verification techniques—symbolicmodel checking and abstract interpretation. In particular, a modifiedsymbolic model checking process using the cover operation is presented.This new process can be used to reason about transition systemsinvolving operations from the rich set of theories for which the coveroperation is defined. As indicated, when the transition system can bedescribed using quantifier-free formulas, it can be shown that thesymbolic model checking process using cover is not only sound, but alsoprecise. A similar application is shown with respect to performingabstract interpretation of programs over abstractions whose elements arequantifier-free formulas describing program states.

Following that, the description shows the application of programanalysis techniques using cover to some useful theories that arise inprogram analysis and verification, including those that do not admitexistential quantifier elimination, such as the theory of uninterpretedfunctions, the theory of lists and the theory of arrays. Cover istrivially defined for propositional formulas and theory of lineararithmetic, as cover, by definition, reduces to existential quantifierelimination when it exists. It is understood that embodiments of thepresent system may be used with program analysis techniques other thansymbolic model checking and abstract interpretation, and it isunderstood that the present system may be used to approximate formulasthat do not admit existential quantifier elimination other than thetheory of uninterpreted functions, the theory of lists and the theory ofarrays.

Lastly, the description sets forth how the notion of cover may be usedas an extension of the known Nelson-Oppen methodology to obtain a coverprocess for a combination of two theories T₁∪T₂. However, in thecombination framework, conditional variable equalities (of the form γ

v₁=v₂) and variable-term equalities (of the form γ

v=t) are exchanged between component theories. The combination processworks for theories that are convex, stably infinite, disjoint, and havea finite set of simple terms, as defined hereinafter. The theories oflinear arithmetic and uninterpreted functions, for example, satisfythese constraints.

Qualitatively, a cover process is a method which allows a sound andprecise approximation of formulas in theories that do not admitexistential quantifier elimination. In case a theory does not admitexistential quantifier elimination, conventional program analysis andverification techniques cannot be applied with both soundness andprecision. However, it has been found that in order indicate that thesystem is valid or contains an error it is enough to determine anapproximation of quantifier elimination, using the notion of cover

It is noted that there is no universal method of applying cover to agiven theory. That is, determining a cover process for a first theorymay do nothing to inform the determination of a cover process of asecond theorem. However, where a first theory may be simplified orexpressed in terms of a second theory, a cover process for the secondtheory may have application to a first theory. For example, as explainedhereinafter, using the cover algorithm for uninterpreted functions canbe used to design cover algorithms for the theory of lists and arraysusing cover, as the theory of lists and arrays may both be expressed interms of uninterpreted functions.

Cover may defined for a quantifier-free formula φ, containinginterpreted symbols from theory T and a set of variables V, as: C_(T)V:φ (called the cover of φ with respect to V in T). This is the mostprecise quantifier-free formula in T that is implied by ∃V: φ. Formally,the cover operation satisfies the following constraints:

(∃V:φ)

_(T)(C_(T)V:φ)

((∃V: φ)_(T)γ)_(T)((C_(T)V: φ)_(T)γ), for all quantifier-free formulas γWhen the theory T is obvious from context, the subscript T may bedropped from the notation and the cover may be referred to simply as CV:φ.

Intuitively, applying the cover operation on a formula with respect to Veliminates all variables in V from the formula. However, the resultingformula only retains quantifier-free facts pertaining to other variablesin the formula. For an example, let φ be the formulay=Mem(a+x)−Mem(b+x), where Mem is an uninterpreted function. Using coverto eliminate the variable x:

(Cx:y=Mem(a+x)−Mem(b+x))≡(a=b

y=0)

∃x: φ implies the right hand side of the above equation. This is themost precise quantifier-free formula that is implied by φ and that doesnot involve x. A process is provided in the Appendix A attached heretoto computes the cover of this formula. Applying cover does not retainquantified facts. For example, Cx: φ does not imply the fact (∀x:Mem(a+x)=Mem(b+x))

y=0, while ∃x: φ does.

This distinguishing fact of cover allows this operation to be definedfor several useful theories including those that do not admitexistential quantifier elimination. A significant application of thecover process is to allow symbolic model checking to reason abouttransition systems that involve rich operations from theories likeuninterpreted functions, lists, and arrays. Such systems naturally arisein program analysis and software verification. Further details relatingto conventional symbolic model checking systems are disclosed in EdmundM. Clarke, Jr., et al., “Model Checking,” MIT Press, 1999, whichpublication is incorporated by reference herein in its entirety.

Referring to FIG. 1, qualitatively, a model checking operation involvescomputing all possible sets of reachable states of the model underconsideration (step 100). The model checking operation also computes allpossible error states (step 102). The model then determines whether aset of the reachable states intersects an error state (step 104). If so,the model has an error. The fact of the error is stored (step 106) andreported (step 108). As indicated above reporting may include one ormore of the steps of displaying, printing, playing over a speaker,communicating the result over a transmission medium, and sending theresults to a file for storage or use by another application program. Thestep of reporting may include other tangible results in alternativeembodiments.

The model determines no set of the reachable states intersects an errorstate in step 104, the model is operationally sound. This result isstored (step 110) and reported (step 112).

A transition system can be described by the tuple (V, I(V), T(V_(old),V_(new)), E(V)), where V represents the set of state variables, I(V) isa formula describing the set of initial states, T (V_(old), V_(new)) isa formula describing the transition relation between the old valuesV_(old) and new values V_(new) of the variables in V, and E(V) is aformula describing the set of error states. For clarity, if φ(V) is aformula with variables from V, φ(V′) may be used to be the formulaobtained from φ by renaming each variable in V with the correspondingvariable in V′.

Referring to FIG. 2, given a transition system, the symbolic modelchecking process computes the set of reachable states R(V) iterativelyin step 120 as follows (steps 122 and 124):

R₀(V)≡I(V)  [1]

R_(i)(V)≡R_(i−1)(V)

(∃V_(old):R_(i−1)(V_(old))

T(V_(old), V)) for i>0  [2]

Referring to FIG. 3, equation [2] represents the set of steps that canbe reached in one step from the set of steps that can be reached i−1steps (step 130). This iteration reaches a fix point at n if and only ifR_(n)(V)

R_(n−1)(V). At this point, R_(n)(V) is an inductive invariant of thetransition system. Also, if R_(n)(V)

−E(V) then the system does not reach an error state.

A transition system (V, I(V), T(V_(old), V_(new)), E(V)) isquantifier-free when the formulas I(V), T(V_(old), V_(new)), and E(V)are all quantifier-free. Where the system admits existentialquantification, the quantifier may be eliminated from all such terms(step 134) and all reachable states may be determined (step 136).

However, in practice, transition systems arising from most softwareverification applications are not quantifier-free. For such systems, anew symbolic model checking process may be provided that uses the coveroperation (step 138) instead of existential quantification. This newprocess is both sound (reliable when proving a formula) and precise(reliable when disproving a formula). Moreover, this process terminateswhenever the original model checking process terminates.

In the discussion below, it is assume that the transition system usesoperations from a theory T, such as the union of the theory of reals,uninterpreted functions, lists, and arrays. The cover operations areperformed with respect to this theory. An actual cover process is setforth hereinafter in connection with the disclosure of the coverfunction applied to the theory of uninterpreted functions, lists andarrays.

Recall that there exists ∃V_(old):φ, where φ=R_(i−1)(V_(old))

T(V_(old), V). This shown as step 144 in FIG. 4. The symbolic modelchecking (“SMC”) process using cover may be used to compute the set ofreachable states CR(V) iteratively as follows:

CR₀(V)≡I(V)  [3]

CR_(i)(V)≡CR_(i−1)(V)

(CV_(old):CR_(i−1)(V_(old))

T(V_(old),V)) for i>0  [4]

CR_(i)(V) determines the set of reachable states determined using thecover operation after i iterations. The fix point is reached, as before,at point n when CR_(n)(V)

CR_(n−1)(V).

It is noted that the equations [3] and [4] are identical to theconventional symbolic model checking equations from [1] and [2] above,with the exception that the ∃V_(old) term has been replaced by the coverterm CV_(old). In the equations [3] and [4] above, the set of reachablestates R(V) is computed using the cover process to compute φ′ from φ,where φ′=φ without the old variable V_(old) (step 146). It is noted thataccording to the cover process, φ′ is implied by φ (step 148). That is,φ′ is an approximation of φ. φ′ is also the strongest formula thatsatisfies steps 146 and 148 (step 150). That is, it turns out the φ isnot necessary to determine all reachable states. All reachable statesmay alternatively be determined using the approximation φ′ of φ. Oncethe cover process is applied (step 138, FIG. 3), all reachable statesmay then be determined (step 140) as if quantifier elimination had beenused.

Lemma 1. Given a quantifier-free transition system (V, I(V), T(V_(old),V_(new)), E(V)), CR_(n)(V)

φ if and only if R_(n)(V)

φ for all quantifier-free formulas φ.

The proof is by induction on i and relies on the fact that, in eachiteration, the cover operation maintains all quantifier-free factsrelated to the state variables. In effect, this lemma ensures that theSMC-Cover process maintains all quantifier-free invariants of thesystem. Using Lemma 1 and the following properties 1 and 2 of cover, theresult stated in Theorem 1 may be proven.

Property 1. CV: CW: φ(V, W)≡CV, W: φ(V, W)

Property 2. CV: ∃W: φ(V, W)≡CV: CW: φ(V, W)

Theorem 1. Given a transition system (V, I(V), T(V_(old), V_(new)),E(V)), where both T(V_(old), V_(new)) and E(V) are quantifier-free, thenthe symbolic model checking process using cover is sound and precise.Furthermore, the symbolic model checking process using cover terminateswhenever the symbolic model checking process terminates.

Abstract Interpretation is a well-known methodology to analyze programsover a given abstraction. Such a methodology is described for example inP. Cousot and R. Cousot, “Abstract interpretation: A unified latticemodel for static analysis of programs by construction or approximationof fixpoints,” In POPL, 1977, which publication is incorporated byreference herein in its entirety. An abstract interpreter performs aforward analysis on the program computing invariants (which are elementsof the underlying abstract lattice over which the analysis is beingperformed) at each program point. The invariants are computed at eachprogram point from the invariants at the preceding program points in aniterative manner using appropriate transfer functions.

Most of the abstract interpreters that have been described in literatureoperate over an abstraction whose elements are usually a conjunction ofatomic predicates in some theory, for example linear arithmetic (See,e.g., Cousot and N. Halbwachs, “Automatic discovery of linear restraintsamong variables of a program,” In 5th ACM Symposium on POPL, pages84-96, 1978) and for example uninterpreted functions (See, e.g., S.Gulwani and G. C. Necula, “A polynomial-time algorithm for global valuenumbering,” In Static Analysis Symposium, volume 3148 of LNCS, pages212-227, 2004). These abstractions cannot reason about disjunctiveinvariants in programs and there is a loss of precision at join pointsin programs.

Abstractions whose elements are boolean combinations of atomicpredicates in an appropriate theory can reason about disjunctiveinvariants in programs. The join operation (required to mergeinformation at join points) for such an abstraction is simplydisjunction, while the meet operation (required to gather informationfrom conditional nodes) is simply conjunction. However, the strongestpost-condition operation (required to compute invariants acrossassignment nodes) is non-trivial. In fact, it is exactly the coveroperation for the underlying theory. Hence, a cover operation for atheory can be used to perform abstract interpretation of programs overan abstraction whose elements are quantifier-free formulas over thattheory.

A sample computer code is shown below whose loop invariant (required toprove the assertion) can be generated using cover operation:

void foo(int* a, int* b) {  int y = 0; int x = *;  while(*) {y = y +a[x] − b[x]; x = *; }  if (y ≠ 0) {assert(a ≠ b); } }No existing abstract interpreter is known to the inventors that canprove the assertion in the program. For this, abstract interpretation isneeded over the abstraction of quantifier-free formulas in the combinedtheory of linear arithmetic and uninterpreted functions. Analyzing thefirst loop iteration involves computing the strongest post-condition ofy=0 with respect to the assignment y:=y+a[x]−b[x] (in the abstraction ofquantifier-free formulas), which is equivalent to computing Cx′, y′:(y′=0

y=y′+Mem(a+x′)−Mem(b+x′)

x=*), where Mem denotes the deference operator and can be regarded as anuninterpreted function. This yields the formula a=b

y=0, which also turns out to be the loop invariant and hence fixed pointis reached in the next loop iteration.

Furthermore, the invariant computed at the end of the procedure can beturned into a procedure summary by eliminating the local variables ofthe procedure, again by using the cover operation. Procedure summariesare useful in performing a context-sensitive reasoning of a program in amodular fashion.

The following description presents cover processes for some usefultheories that arise in program analysis and software verification. Onlythose theories that do not admit existential quantifier elimination areconsidered. It is understood that the present system may to additionaltheories, whether they admit existential quantifier elimination or not.

Property 3. The cover operation distributes over disjunctions, i.e.,

(CV:(φ₁

φ₂))≡(CV:φ₁)

(CV:φ₂)

Hence, without loss of any generality, it can be assumed that theformula φ that is an input to a cover process is a conjunction of groundfacts.

The cover process for theory of uninterpreted functions is given in theAppendix A to this application. The process assumes that there are onlybinary uninterpreted functions, but it can be easily extended to handleuninterpreted functions of any arity. A significant observation used inthe process is that if φ implies (s₁≠t₁

. . .

s_(a)≠t_(a))

(s′₁=t′₁

. . .

s′_(b)=t′₁), then it must be the case that φ implies (s₁=t₁

. . .

s_(a)=t_(a))

s′_(i)=t′_(i) for some 1≦i≦b. Lines 12 and 14 in the functionComputeCover_(uf) (φ) compute all such implied equalities.

Line 1 involves computing a congruence closed graph G that representsthe equalities implied by φ. G is a set of congruence classes, and eachcongruence class is a set of nodes n, where a node is either a variabley, or a F-node F(c₁, c₂) for some congruence classes c₁ and c₂. Twonodes n₁ and n₂ in G are in the same congruence class if and only if φimplies n₁=n₂. The function Rep(c) returns a representative term forclass c that does not involve any variables in V, if any such termexists; otherwise it returns ⊥.

Line 2 calls procedure Mark that takes a congruence closed graph G and aset of variables V as inputs, and sets M[n] to 1 for F-nodes n if andonly if node n in G becomes undefined if variables V are removed from G.An F-node F(c₁,c₂) is undefined if and only if classes c₁ or c₂ areundefined. A class c is undefined if and only if it contains allundefined nodes. The function AllMark takes a congruence class c as aninput and returns true if and only if all nodes in c are marked.

Lines 5 through 8 compute W[n₁, n₂], which denotes the weakestconstraint not involving variables in V and which along with φ impliesn₁=n₂. W[n₁,n₂] is first initialized to Init(n₁,n₂), which returns aconstraint not involving variables in V and which along with φ impliesn₁=n₂. W[n₁,n₂] is then updated in a transitive closure style.

Line 4 initializes result to all equalities and disequalities that areimplied by φ and that do not involve any variables in V. Lines 12 and 14then update result by conjoining it with all implied equalities that areimplied by φ and that do not involve any variable from V. Lines 11-12can be treated as a special case of lines 13-14 when the context Z doesnot contain any holes (i.e., k=0).

The following shows an example of the cover operation over the theory ofuninterpreted functions.

$\begin{matrix}{{{Formula}\mspace{14mu} \varphi \text{:}\mspace{14mu} s_{1}} = {{{F( {z_{1},v} )}\bigwedge s_{2}} = {{{F( {z_{2},v} )}\bigwedge t} = {F( {{F( {y_{1},v} )},{F( {y_{2},v} )}} )}}}} & \lbrack 5\rbrack \\{{{\mathbb{C}}\; v\text{:}\mspace{14mu} \varphi {\text{:}\mspace{20mu} \bigwedge\limits_{i,{j\; ɛ{\{{1,2}\}}}}\mspace{14mu} y_{1}}} = {{z_{1}\bigwedge y_{2}} = { z_{j}\Rightarrow t  = {F( {s_{1},s_{j}} )}}}} & \lbrack 6\rbrack\end{matrix}$

The formula [6] can be obtained from the formula [5] by applying theprocess given in Appendix B (described below) as follows. Let n₁ be thenode F(y₁,v), n₂ be the node F(y₂,v), and n be the node F(n₁,n₂).W[s₁,n₁] is the constraint z₁=y₁ and W[s₁,n₂] is the constraint z₂=y₁.Consider the context Z[n₁,n₂]=F(n₁,n₂). By choosing the node m₁ to be s₁and m₂ to be s₁ in line 13, the formula z₁=y₁

z₂=y₁

t=F(s₁,s₁) may be obtained in line 14, and so on.

The complexity of the process described in Appendix B can be exponentialin the size of the input formula φ. This is because there can be anexponential number of ways of choosing an appropriate sequence of knodes m₁, . . . , m_(k) in line 13. Hence, the size of the cover canitself be exponential in size of the input formula φ. The formula φ in[5] can be easily generalized to obtain a formula of size O(n) whosecover is of size O(2^(n)).

For the special case when the formula φ involves only unaryuninterpreted functions, the cover process involves erasing variables inV from congruence closure of φ. Equivalently, the process only involvesLines 1 through 4 in the ComputeCover procedure described in Appendix B.The complexity of the cover process for unary uninterpreted functions isthus O(n log n), where n is the size of the input formula.

The theory of lists involves three interpreted symbols car, cdr, andcons, which can be used to reason about lists and structures inprograms. Further detail relating to the theory of lists are set forthin D. C. Oppen, “Complexity, convexity and combinations of theories,” InTheoretical Computer Science, volume 12, pages 291-302, 1980, whichpublication is incorporated by reference herein in its entirety. Apartfrom the axioms from the theory of uninterpreted functions, this theoryinvolves the axiom ∀x, y: car(cons(x, y))=x

cdr(cons(x,y))=y.

Using the insight from Oppen, incorporated in the previous paragraph,the cover process for the theory of lists involves eliminating theoccurrence of the cons symbol from a formula and reasoning entirely inthe theory of uninterpreted functions. The process relies on thefollowing lemma.

Lemma 2. Given a quantifier-free formula φ in the theory of lists thatdoes not contain the cons symbol, then C_(lists)V: φ≡C_(uf)V: φ

With respect to the algorithm below, given a quantifier-free formulaφ(V) involving variables from V, one can construct an equisatisfiableformula φ′(V, V′) without the cons symbol as follows. Replace each termcons(x, y) in the formula by a new variable v′ and conjoin the formulawith car(v′)=x

cdr(v′)=y. If V′ is the set of all the introduced new variables, the newformula φ′(V, V′) satisfies the property that φ(V)≡∃V′: φ′(V, V′). UsingProperty 1, Property 2, and Lemma 2:

C_(lists)W:φ(V)≡C_(uf)W,V′:φ′(V,V′).

The cover process for the theory of lists involves applying the coverprocess for uninterpreted functions, described above, on φ′(V, V′). Ascar and cdr are unary functions, one can apply the optimizationdescribed above with respect to uniary uninterpreted functions.

The theory of arrays involves two interpreted symbols, select andupdate, such that ∀a, i, v, j: select(update(a, i, v), j)=ite(i=j, v,select(a, j)). Here, ite is the if-then-else operator that returns thesecond argument when the predicate in the first argument is true and thethird argument. The cover process for the theory of arrays is verysimilar to the theory of lists. Informally, the process is similar tothe cover process for the theory of lists described above. It involvesiteratively eliminating the update symbol from the input formula andthen invokes the cover process for the uninterpreted functions.

The following describes how to obtain a cover process for combination oftwo theories T₁∪T₂ from the cover processes for the individual theoriesT₁ and T₂. The combination methodology is based on extension ofNelson-Oppen methodology for combining decision procedures for twotheories. Nelson and Oppen provided a framework for deciding formulasover multiple theories by modularly combining decision procedures forthe different theories. Their framework is described in a paper: G.Nelson and D. C. Oppen, “Simplification by cooperating decisionprocedures,” ACM Transactions on Programming Languages and Systems,(TOPLAS), 2(1):245 257, 1979, which paper is incorporated by referenceherein in its entirety. As a result of this methodology, therestrictions on theories that allow for efficient combination of theirdecision procedures (namely, convexity, stably infiniteness, anddisjointness) also transfer to the context of combining cover processesfor those theories.

The Nelson-Oppen methodology for combining decision procedures involvessharing variable equalities v=u between the formulas in the twotheories. For combining cover processes, variable-term equalities (i.e.,equalities between variables and terms) also need to be shared apartfrom variable equalities. Furthermore, these equalities may also beconditional on any predicate. More formally, the general form ofequalities that are shared between the two formulas in the two theoriesis γ

v=t, where γ is a formula that does not involve any variable to beeliminated, and either v and t are both variables (in which case werefer to it as a conditional variable equality) or v is a variable thatneeds to be eliminated and t is a term that does not involve anyvariable to be eliminated (in which case we refer it to as a conditionalvariable-term equality). The terms t are restricted to come from a setthat may be referred to as set of simple terms (See Definition 1 below).

Some notation is provided for the description of the cover process forcombination of two theories.

Definition 1 (Set of Simple Terms). A set S is a set of simple terms forvariable v with respect to a formula φ in theory T (denoted bySST_(T)(v, φ)), if for all conjunctions of atomic predicates γ such thatv∉Vars(γ), and all terms t that are distinct from v:

v∉Vars(S) and Vars(S)⊂Vars(φ)

(γ

φ

_(T) v=t)

∃t′εSs.t.(γ

φ

>_(T) v=t′)

(γ

φ

_(T) t=t′)

The theories of linear arithmetic and uninterpreted functions admit afinite set of simple terms for their formulas. The following theoremsdescribe how to compute a set of simple terms for a formula in thecorresponding theory.

Theorem 2 (Set of Simple Terms for Linear Arithmetic). Let φ be theformula

${\overset{n}{\bigwedge\limits_{i = 1}}v} \leq {a_{i}\bigwedge{\overset{m}{\bigwedge\limits_{i = 1}}v}} \geq {b_{i}\bigwedge{\overset{n^{\prime}}{\bigwedge\limits_{i = 1}}v}} < {a_{i}^{\prime}\bigwedge{\overset{m^{\prime}}{\bigwedge\limits_{i = 1}}v}} > {b_{i}^{\prime}\bigwedge{\varphi^{\prime}.}}$

where v∉Vars(φ′), v∉Vars(a_(i)) and v∉Vars(b_(i))). Then,

{a_(i)}_(i = 1)^(n)

is SST_(ta)(v, φ).

Theorem 3 (Set of Simple Terms for Uninterpreted Functions). Let φ be aformula over the theory of uninterpreted functions. Let G be thecongruence closure of φ. Let S be a set that contains a representativeterm not involving v for each congruence class in G (if any such termexists). Then S is SST_(uf)(v, φ).

The proofs of Theorem 2 and Theorem 3 are given in full in the paper byGulwani and M. Musuvathi, “Cover algorithms and their combination,”Technical Report MSR-TR-2006-09, Microsoft Research, January 2006, whichpaper is incorporated by reference herein in its entirety.

The notation WC_(T)(φ, δ, V) may be used to denote

C_(T)V: φ

δ. Intuitively, WC_(T)(φ, δ, V) denotes the weakest constraint thattogether with φ implies δ and that does not involve any variable fromset V.

The notation Num(T) may be used for any theory T to denote the maximumnumber of variables that may occur in any atomic predicate in theory T.For example, Num(T)=2 for difference logic (theory of linear arithmeticwith only difference constraints) as well as for theory of unaryuninterpreted functions.

The procedure ComputeCover_(T1∪T2) in Appendix B takes as input aformula φ and a set of variables V to be eliminated and computesC_(T1∪T2)V: φ using the cover processes for theories T₁ and T₂. Line 1performs purification of φ, which involves decomposing φ (which is aconjunction of atomic predicates in the combined theory T₁∪T₂) intoconjunctions of atomic predicates that are either in theory T₁ or in T₂by introducing a fresh variable for each alien term in φ. The set of allsuch fresh variables is referred to as U, while V′ denotes the set ofall variables that we need to eliminate from φ₁

φ₂. Lines 4 to 11 repeatedly exchange conditional variable equalitiesand conditional variable-term equalities between φ₁ and φ₂. Lines 13 and14 call the procedure ComputeSimpleCover_(T), which takes as inputs aset of variables V, a formula φ in theory T, and a formula F of the formγ_(i)

_(T′)v_(i)=t_(i) (where v_(i)εV and T′ is any theory) such thatV∩(Vars(γ_(i))∪Vars(t_(i)))=0, and computes C_(T∪T′)V: φ

F.

The proof of correctness (including termination) of the algorithmComputerCover_(T1∪T2) is non-trivial and is given in the paper toGulwani and M. Musuvathi, previously incorporated by reference. A briefsketch of the proof follows. Let γ_(i)'s be some atomic predicates thatdo not involve variables in V and furthermore φ

γ₁

. . .

γ_(k). Yhe formula ComputeCover_(T1∪T2) (V, φ)

γ₁

. . .

γ_(k) is shown to be unsatisfiable by simulating the decision procedurefor theory T1∪T2 based on Nelson-Oppen's combination methodology (withthe knowledge of the Nelson-Oppen proof of unsatisfiability of theformula φ

γ₁

. . .

γ_(k)).

The complexity of the cover process for combination of two theories isan exponential (in size of the input formula φ and cardinality of itsset of simple terms) factor of the complexity of the cover processes forindividual theories. For combination of difference logic (theory oflinear arithmetic with only difference constraints) and unaryuninterpreted functions, which is a useful combination that occurs inpractice, the cover process can be simplified and it runs in timepolynomial in size of the input formula φ.

Some examples of computation of cover are now presented for the combinedtheory of linear arithmetic (la) and uninterpreted functions (uf).Example 2 demonstrates the importance of sharing variable-termequalities, while example 3 demonstrates the importance of sharingconditional equalities.

Example 2

Compute Cl_(a∪uf){v₁, v₂}: φ, where φ is (a≦v₁₊₁

v₁≦a−1

v₂≦b

v₁=F(v₃)

v₂=F(F(v₃))), for some uninterpreted function F.

First, φ is decomposed into pure formulas φ₁ and φ₂:

φ₁=(a≦v ₁+1

v ₁ ≦a−1

v ₂ ≦b)

φ₂=(v ₁ =F(v ₃)

v ₂ =F(F(v ₃))

Then, variable-term equalities are shared between φ₁ and φ₂ as follows:

$\varphi_{1}\overset{\mspace{20mu} {v_{1} = {a - 1}}\mspace{34mu}}{arrow}\mspace{14mu} {\varphi_{2}\overset{\mspace{25mu} {v_{2} = {F{({a - 1})}}}\mspace{14mu}}{arrow}\varphi_{1}}$

Then, C_(ta){x, u₁, u₂, u₃, u₄}: φ₁

v₂=F(a−1) may be computed to obtain the result F(a−1)≦b. The coverprocess for linear arithmetic does not need to understand the termF(a−1) and can just treat it as some fresh variable.

Example 3

Compute C_(ta∪uf)x: φ, where φ is (y=Mem(a+x)−Mem(b+x)) for someuninterpreted function Mem.

Purifying φ, φ₁ and φ₂ may be obtained by introducing new variables u1,u₂, u₃, u₄.

φ₁=(y=u ₁ −u ₂

u ₃ =a+x

u ₄ =b+x)

φ₂=(u ₁ =Mem(u ₃)

u ₂ =Mem(u ₄))

Conditional equalities may then be shared between φ₁ and φ₂ as follows:

$\varphi_{1}\overset{\mspace{25mu} {a = {{b\Rightarrow u_{3}} = u_{4}}}\mspace{25mu}}{arrow}{\varphi_{2}\overset{\mspace{25mu} {a = {{b\Rightarrow u_{1}} = u_{2}}}\mspace{25mu}}{arrow}\varphi_{1}}$

Then, C_(ta){x, u₁, u₂, u₃, u₄}: φ₁a=bu₁=u₂ may be computed to obtainthe result a=by=0.

As set forth above, the notion of cover presents the most precisequantifier-free over-approximation to existential quantifierelimination. Also, the notion of cover can be parameterized by types offormulas that one is interested in. Instead of generating the mostprecise quantifier-free formula, one may be interested in formulas thatare conjunctions of, for example, atomic predicates, or at most kdisjunctions of atomic predicates, or implications of the form φ₁

φ₂, where φ₁ and φ₂ are conjunctions of atomic predicates in variablesV₁ and V₂ respectively. The latter may be useful in computing proceduresummaries, where V₁ and V₂ denote the set of input and output variablesrespectively.

FIG. 5 illustrates an example of a suitable general computing systemenvironment 200 that may comprise any processing device shown herein onwhich the inventive system may be implemented. The computing systemenvironment 200 is only one example of a suitable computing environmentand is not intended to suggest any limitation as to the scope of use orfunctionality of the inventive system. Neither should the computingsystem environment 200 be interpreted as having any dependency orrequirement relating to any one or combination of components illustratedin the exemplary computing system environment 200.

The inventive system is operational with numerous other general purposeor special purpose computing systems, environments or configurations.Examples of well known computing systems, environments and/orconfigurations that may be suitable for use with the inventive systeminclude, but are not limited to, personal computers, server computers,multiprocessor systems, microprocessor-based systems, set top boxes,programmable consumer electronics, network PCs, minicomputers, mainframecomputers, laptop and palm computers, hand held devices, distributedcomputing environments that include any of the above systems or devices,and the like.

With reference to FIG. 5, an exemplary system for implementing theinventive system includes a general purpose computing device in the formof a computer 210. Components of computer 210 may include, but are notlimited to, a processing unit 220, a system memory 230, and a system bus221 that couples various system components including the system memoryto the processing unit 220. The system bus 221 may be any of severaltypes of bus structures including a memory bus or memory controller, aperipheral bus, and a local bus using any of a variety of busarchitectures. By way of example, and not limitation, such architecturesinclude Industry Standard Architecture (ISA) bus, Micro ChannelArchitecture (MCA) bus, Enhanced ISA (EISA) bus, Video ElectronicsStandards Association (VESA) local bus, and Peripheral ComponentInterconnect (PCI) bus also known as Mezzanine bus.

Computer 210 may include a variety of computer readable media. Computerreadable media can be any available media that can be accessed bycomputer 210 and includes both volatile and nonvolatile media, removableand non-removable media. By way of example, and not limitation, computerreadable media may comprise computer storage media and communicationmedia. Computer storage media includes both volatile and nonvolatile,removable and non-removable media implemented in any method ortechnology for storage of information such as computer readableinstructions, data structures, program modules or other data. Computerstorage media includes, but is not limited to, random access memory(RAM), read only memory (ROM), EEPROM, flash memory or other memorytechnology, CD-ROMs, digital versatile discs (DVDs) or other opticaldisc storage, magnetic cassettes, magnetic tapes, magnetic disc storageor other magnetic storage devices, or any other medium which can be usedto store the desired information and which can be accessed by computer210. Communication media typically embodies computer readableinstructions, data structures, program modules or other data in amodulated data signal such as a carrier wave or other transportmechanism and includes any information delivery media. The term“modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia includes wired media such as a wired network or direct-wiredconnection, and wireless media such as acoustic, RF, infrared and otherwireless media. Combinations of any of the above are also includedwithin the scope of computer readable media.

The system memory 230 includes computer storage media in the form ofvolatile and/or nonvolatile memory such as ROM 231 and RAM 232. A basicinput/output system (BIOS) 233, containing the basic routines that helpto transfer information between elements within computer 210, such asduring start-up, is typically stored in ROM 231. RAM 232 typicallycontains data and/or program modules that are immediately accessible toand/or presently being operated on by processing unit 220. By way ofexample, and not limitation, FIG. 5 illustrates operating system 234,application programs 235, other program modules 236, and program data237.

The computer 210 may also include other removable/non-removable,volatile/nonvolatile computer storage media. By way of example only,FIG. 5 illustrates a hard disc drive 241 that reads from or writes tonon-removable, nonvolatile magnetic media and a magnetic disc drive 251that reads from or writes to a removable, nonvolatile magnetic disc 252.Computer 210 may further include an optical media reading device 255 toread and/or write to an optical media.

Other removable/non-removable, volatile/nonvolatile computer storagemedia that can be used in the exemplary operating environment include,but are not limited to, magnetic tape cassettes, flash memory cards,DVDs, digital video tapes, solid state RAM, solid state ROM, and thelike. The hard disc drive 241 is typically connected to the system bus221 through a non-removable memory interface such as interface 240,magnetic disc drive 251 and optical media reading device 255 aretypically connected to the system bus 221 by a removable memoryinterface, such as interface 250.

The drives and their associated computer storage media discussed aboveand illustrated in FIG. 5, provide storage of computer readableinstructions, data structures, program modules and other data for thecomputer 210. In FIG. 5, for example, hard disc drive 241 is illustratedas storing operating system 244, application programs 245, other programmodules 246, and program data 247. These components can either be thesame as or different from operating system 234, application programs235, other program modules 236, and program data 237. Operating system244, application programs 245, other program modules 246, and programdata 247 are given different numbers here to illustrate that, at aminimum, they are different copies. A user may enter commands andinformation into the computer 210 through input devices such as akeyboard 262 and a pointing device 261, commonly referred to as a mouse,trackball or touch pad. Other input devices (not shown) may include amicrophone, joystick, game pad, satellite dish, scanner, or the like.These and other input devices are often connected to the processing unit220 through a user input interface 260 that is coupled to the system bus221, but may be connected by other interface and bus structures, such asa parallel port, game port or a universal serial bus (USB). A monitor291 or other type of display device is also connected to the system bus221 via an interface, such as a video interface 290. In addition to themonitor, computers may also include other peripheral output devices suchas speakers 297 and printer 296, which may be connected through anoutput peripheral interface 295.

The computer 210 may operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computer280. The remote computer 280 may be a personal computer, a server, arouter, a network PC, a peer device or other common network node, andtypically includes many or all of the elements described above relativeto the computer 210, although only a memory storage device 281 has beenillustrated in FIG. 5. The logical connections depicted in FIG. 5include a local area network (LAN) 271 and a wide area network (WAN)273, but may also include other networks. Such networking environmentsare commonplace in offices, enterprise-wide computer networks, intranetsand the Internet.

When used in a LAN networking environment, the computer 210 is connectedto the LAN 271 through a network interface or adapter 270. When used ina WAN networking environment, the computer 210 typically includes amodem 272 or other means for establishing communication over the WAN273, such as the Internet. The modem 272, which may be internal orexternal, may be connected to the system bus 221 via the user inputinterface 260, or other appropriate mechanism. In a networkedenvironment, program modules depicted relative to the computer 210, orportions thereof, may be stored in the remote memory storage device. Byway of example, and not limitation, FIG. 5 illustrates remoteapplication programs 285 as residing on memory device 281. It will beappreciated that the network connections shown are exemplary and othermeans of establishing a communication link between the computers may beused.

The foregoing detailed description of the inventive system has beenpresented for purposes of illustration and description. It is notintended to be exhaustive or to limit the inventive system to theprecise form disclosed. Many modifications and variations are possiblein light of the above teaching. The described embodiments were chosen inorder to best explain the principles of the inventive system and itspractical application to thereby enable others skilled in the art tobest utilize the inventive system in various embodiments and withvarious modifications as are suited to the particular use contemplated.It is intended that the scope of the inventive system be defined by theclaims appended hereto.

APPENDIX A Cover Process for Theory of Uninterpreted Functions

ComputeCover_(uf) (φ, V ) = 1 Let G be the congruence closure of φ. 2Mark(G,V ) ; 3 let G′ be the graph obtained from G after removing allodes n s.t. M[n] = 1; 4 result ← all equalities and disequalitiesimplied by G′; // Compute W[n₁,n₂2] 5 forall nodes n₁, n₂ ε G: W[n₁, n₂]← Init(n₁, n₂); 6 forall nodes n ε G: 7 forall nodes n₁,n₂ ε G: 8W[n₁,n₂] ← W[n₁,n₂]

(W[n₁,n]

W[n,n₂]); // Compute result 9 let N_(e) = {n | n ε G, M[n] = 1, CRep(n)≠ ⊥}; 10 forall nodes n ε N_(e) 11 forall nodes m ε G s.t. W[m,n] ≠false: 12 result ← result

(W[n,m] CRep(n) = CRep(m)); 13 forall contexts Z[n₁, . . ., n_(k)] s.t.n = Z[n₁ , . . ., n_(k)], Vars(Z) ∩ V = Ø, n_(i) ε N_(e) for 1 ≦ i ≦ k14 forall nodes m₁ , . . , m_(k) ε G s.t. W[n_(i),m_(i)] ≠ false andCRep(m_(i)) ≠ ⊥ for 1 ≦ i ≦ k: 15 result ← result

$( { ( {\overset{k}{\bigwedge\limits_{i = 1}}{W\lbrack {c_{i},d_{i}} \rbrack}} )\Rightarrow{C\; {Re}\; {p(n)}}  = {Z\lbrack {{C\; {Re}\; {p( m_{1} )}},\ldots \mspace{11mu},{C\; {Re}\; {p( m_{k} )}}} \rbrack}} );$16 return result; Mark(G,V) = forall nodes n ε G: M[n] ← 0; forallvariables y ε V : M[y] ← 1; while any change forall nodes F(c₁, c₂) : ifAllMark(c₁)

AllMark(c₂ ), M[F(c₁, c₂] ← → l; AllMark(c) = forall nodes n in class c:if M[n] = 0, return false; return true; Init(n₁,n₂ ) = if Class (n₁ ) =Class (n₂ ), return true; if n₁ = F(c₁,c₂) and n₂ = F(c′₁, c′₂) ifRep(c₁) ≠ ⊥

Rep(c′₁) ≠ ⊥

c₂ = c′₂, return Rep(c₁) = Rep(c′₁); if Rep(c₂) ≠ ⊥

Rep(c₂) ≠ ⊥

c₁ = c′₂, return Rep(c₂ ) = Rep(c′₂); return Init(c₁, c′₁)

Init(c₂,c₂); return false; Rep(c) = if AllMark(c) return ⊥; if c has avariable y s.t. M[y] = 0, return y; let F(c₁, c₂ ) be the node s.t.M[F(c₁, c₂)] = 0. return F(Rep(c₁), Rep(c₂)); CRep(n) = return Rep(Class (n));

APPENDIX B Cover process for combination of two theories T₁∪T₂.

ComputeCover _(T1∪T2) (V, φ) = 1 φ₁, φ₂ = Purify(φ); let U be thevariables introduced during Purify(φ); 2 let V′ = V ∪ U; 3 F₁ ← true; F₂← true; 4 repeat until no change: 5 for j = 1, 2: ^(n) 6 let

γ¹

v₁ = u_(i) be some conditional variable equalities implied by F_(3-j) ;^(i=1) 7 let$ {\bigwedge\limits^{m}\delta_{i}}\Rightarrow w_{i}  = t_{i}$be some conditional variable-term equalities implied by F_(3-j) ; ^(i=1)9 $\begin{matrix}{{{{l{et}}\mspace{14mu} \psi} = {\overset{n}{\bigwedge\limits_{i = 1}}{\gamma_{i}\bigwedge{\overset{m}{\bigwedge\limits_{i = 1}}\delta_{i}}}}};} \\{{{{let}\mspace{14mu} {E\overset{k}{\bigwedge\limits_{i = 1}}v_{i}}} = u_{i}};} \\{{{{l{et}}\mspace{14mu} W} = {V^{\prime} - \{ {w_{i}{1 \leq u \leq m}} \}}};} \\{{{{let}\mspace{14mu} S_{v}} \equiv {SST}_{T}};{( {v,{{\mathbb{C}}_{T};{{W - \{ v \}}:{\varphi\bigwedge E}}}} )\mspace{20mu} \text{for any variable v;}}}\end{matrix}\quad$ 10 11 $\begin{matrix}{{  F_{j}arrow{F_{j}\bigwedge{\bigwedge\limits_{v_{1},{v_{2} \in V^{\prime}}}{{\psi\bigwedge W}\; {{C_{Tj}( {{\varphi_{j}\bigwedge E},{v_{1} = v_{2}},W} )}\lbrack {t_{i}/w_{i}} \rbrack}}}} \Rightarrow v_{1}  = v_{2}}} \\{{\bigwedge{\bigwedge\limits_{{v \in V^{\prime}},{t \in S_{v}}}{{\psi\bigwedge W}\; {C_{T}( {{\varphi_{j}\bigwedge E},{v = t},W} )}\lfloor { {t_{i}/w_{i}}\Rightarrow v  = t} \rfloor}}}}\end{matrix}\quad$ 12 let F′_(j) be the conjunction of all impliedvariable-term equalities γ v_(i) = t_(i) implied by F_(j) s.t. Vars(γ₁)∩ V′ = Ø (for j = 1, 2); 13 let a₁ = ComputeSimpleCover_(T1) (V′, φ₁,F′₂); 14 let a₂ = ComputeSimpleCover_(T2) (V′, φ₂, F′₁); 15 return a1

a₂; ComputesimpleCover_(T) (φ, V, F) = result ← ComputeCover(V, φ);forall collections$ {\overset{m}{\bigwedge\limits_{i\; - 1}}\delta_{i}}\Rightarrow w_{i}  = t_{i}$of conditional variable-term equalities implied by F s.t. m ≦ Num(T) andw′_(i) are all distinct variables: let${\gamma = {\overset{n}{\bigwedge\limits_{i = 1}}\gamma_{i}}};{{letW} = {V - \{ W_{l} \middle| {1 \leq i \leq m} \}}};$result ← result

(y ‰ ComputeCover(W, φ) [t_(i)/w_(i)]); return result;

1. A computing system environment configured, at least in part, toperform a method of determining a reliability of a system including aniterative formula φ and a set of variables V, the method comprising thestep of: (a) determining a formula φ′ when the formula φ does not admitexistential quantifier elimination, such that φ′ does not involve anyvariables in V and is the most precise quantifier-free formula that isimplied by φ.
 2. A computing system environment as recited in claim 1,further comprising the step of using quantifier elimination to removethe variables that occur in V from the formula φ, when the formula φadmits quantifier elimination;
 3. A computing system environment asrecited in claim 1, wherein the formula φ contains one or moreuninterpreted function symbols.
 4. A computing system environment asrecited in claim 1, wherein the formula φ contains symbols from a theoryof lists.
 5. A computing system environment as recited in claim 1,wherein the formula φ contains symbols from a theory of arrays.
 6. Acomputing system environment as recited in claim 1, wherein computerimplemented method of determining the reliability of a system is asymbolic model checking method.
 7. A computing system environment asrecited in claim 1, wherein computer implemented method of determiningthe reliability of a system is an abstract interpretation method.
 8. Asymbolic model checking method of determining the reliability of atransition system described by the tuple (V, I(V), T(V_(old), V_(new)),E(V)), where V represents the set of state variables, I(V) is a formuladescribing the set of initial states, T (V_(old), V_(new)) is a formuladescribing the transition relation between the old values V_(old) andnew values V_(new) of the variables in V, and E(V) is a formuladescribing the set of error states, wherein the formulas I(V) and T(V_(old), V_(new)) do not admit existential quantification, the methodcomprising the steps of: (a) computing the set of reachable states CR(V)iteratively from an initial state CR₀(V)≡I(V), and an i^(th) stateCR_(i)(V)≡CR_(i−1)(V)

(CV_(old): CR_(i−1)(V_(old))

T(V_(old), V)) for i>0, where the expression (CV_(old):CR_(i−1)(V_(old))

T(V_(old), V)) represents a set of steps that can be reached in one stepfrom the set of steps that can be reached in i−1 Steps, and where thei^(th) state CR_(i)(V) is an approximation of the i^(th) stateR_(i−1)(V)

(∃V_(old): R_(i−1)(V_(old))

T(V_(old), V)) for i>0 if the formulas I(V) and T (V_(old), V_(new))admitted existential quantifier elimination; (b) determining all sets oferror states E(V); (c) determining the reliability of the transitionsystem by whether there is an intersection between the reachable statesdetermined in said step (a) and the error states determined in said step(b); and (d) reporting the reliability determined in said step (c).
 9. Amethod as recited in claim 8, wherein the formulas I(V) and T (V_(old),V_(new)) contain one or more uninterpreted function symbols.
 10. Amethod as recited in claim 8, wherein the formulas I(V) and T (V_(old),V_(new)) contain symbols from a theory of lists.
 11. A method as recitedin claim 8, wherein the formulas I(V) and T (V_(old), V_(new)) containsymbols from a theory of arrays.
 12. A method as recited in claim 8,further comprising a step (d) of determining all error states for themodel.
 13. A method as recited in claim 12, further comprising a step(e) of determining whether there is an intersection between allreachable states determined in said steps (b) or (c) and the errorstates determined in said step (d).
 14. A method as recited in claim 13,wherein a determination in said step (e) of no intersection indicates avalid model.
 15. A method as recited in claim 14, wherein adetermination in said step (e) of an intersection indicates errors inthe model.
 16. A method as recited in claim 15, wherein an indication ofvalidity is reliable and an indication of an error is reliable wheresaid formula φ does not admit existential quantification.
 17. Anabstract interpretation method of determining the strongestpostcondition across an assignment node in abstract interpretation,comprising the steps of: (a) computing an invariant I′ after anassignment node x:=e from the invariant I before the assignment node byan abstraction that eliminates the variable x from I and e; and (b)reporting the invariant I′ determined in said step (a).
 18. A method asrecited in claim 17, wherein the invariant I′ contains one or moreuninterpreted function symbols.
 19. A method as recited in claim 17,wherein the invariant I′ contains symbols from a theory of lists.
 20. Amethod as recited in claim 17, wherein the invariant I′ contains symbolsfrom a theory of arrays.